Legal Order as Deterrence in Cyberspace

Centre’s researcher Anna-Maria Osula spoke at the recent Lennart Meri Conference and reflects on offensive cyber capabilities, ‘norms of behaviour’ and deterrence.

Different national strategies confirm that some States have been developing offensive cyber capabilities for years. This seems to be an inevitable trend that cannot be reversed. For example, both the Netherlands and Finland have stated in their national strategies that they aim to develop military capability to conduct cyber [offensive] operations, or create a comprehensive cyber defence capability that also includes cyber attack capabilities. Most recently, at the end of April 2015 the US Department of Defence (DOD) published its renewed cyber security strategy that, more openly than ever, asserted that: 1) DOD has developed capabilities for cyber operations and is integrating those capabilities into other tools that the US uses to defend its national interests, and 2) there may be circumstances under which the US military may conduct cyber operations to disrupt an adversary’s military-related networks or infrastructure. The strategy also offers a brief assessment of the cyber capabilities of Russia, China, Iran and North Korea.

Clearly, stating the development or existence of such capabilities functions as deterrence that attempts to dissuade the possible adversary from launching cyber operations against you. This goal is also evident in the new US Strategy that aims to provide deterrence through a combination of different measures, including diplomatic, informational, military, economic, financial, and law enforcement tools.

In addition to the above, law in general is to be viewed as a deterrent. Ideally, commonly agreed international legal norms provide legal clarity and predictability that allow States to foresee with certainty which actions would be considered violations of legal frameworks, and which legal remedies are to be used when cyber operations have been launched against a State. In combination with other deterring elements such as investigative measures and a functional judicial system, the deterring nature of legal order should not be underestimated.

Discussions on norms of behaviour in cyberspace have been on-going for years. Perhaps the most prominent venue has been the United Nations Group of Governmental Experts that in 2013 reached a ‘landmark consensus’ between 15 participating States that international law, in particular the UN Charter, applies to cyberspace. However, with little agreement on how international law applies to cyberspace, the possible deterring character of legal norms is yet to reach its full potential. To that end, before expecting an agreement on norms on an international or even bilateral level, States need to settle on the interpretation of international legal norms internally by engaging relevant national actors.

Here, academic initiatives such as the Tallinn Manual – a project launched and facilitated by the NATO Cooperative Cyber Defence Centre of Excellence that set forth the views of a group of highly regarded law professors and practitioners – are certainly valuable tools for national legal advisors. However, as underlined by the Tallinn Manual itself, further interpretation and development of international law requires further evidence of State practice and publicly available opinio iuris. Unless States become more transparent about their capabilities as well as policies and rules in using them, it will remain challenging to reach deterrence in the increasingly complex cyber threat environment.

Based on a presentation given at the Lennart Meri Conference, during the panel “Offensive Cyber: Necessary Evil or Pandora’s Box?”. Responsibility for the information and views expressed above lies entirely with the author. The content does not reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence, NATO or any other entity. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources.